Cybercriminals are getting faster at exploiting vulnerabilities

Cybercriminals are targeting the ever-increasing number of new vulnerabilities resulting from the exponential growth in the number and variety of connected devices and an explosion in new applications and online services, according to Fortinet. It’s only natural that attacks looking to exploit those vulnerabilities would rise as well.

The latest semiannual report is a snapshot of the active threat landscape and highlights trends from July to December of 2023, including analysis on the speed with which cyber attackers are capitalizing on newly identified exploits from across the cybersecurity industry and the rise of targeted ransomware and wiper activity against the industrial and OT sector.

Attacks started on average 4.76 days after new exploits were publicly disclosed: Like the 1H 2023 Global Threat Landscape Report, FortiGuard Labs sought to determine how long it takes for a vulnerability to move from initial release to exploitation, whether vulnerabilities with a high Exploit Prediction Scoring System (EPSS) score get exploited faster, and whether it could predict the average time-to-exploitation using EPSS data.

Vendors’ obligation to disclose vulnerabilities

Based on this analysis, the second half of 2023 saw attackers increase the speed with which they capitalized on newly publicized vulnerabilities (43% faster than 1H 2023). This shines a light on the need for vendors to dedicate themselves to internally discovering vulnerabilities and developing a patch before exploitation can occur (mitigate instances of 0-Day vulnerabilities). It also reinforces that vendors must proactively and transparently disclose vulnerabilities to customers to ensure they have the information needed to effectively protect their assets before cyber adversaries can exploit N-day vulnerabilities.

It’s not just newly identified vulnerabilities that CISOs and security teams must worry about. Fortinet telemetry found that 41% of organizations detected exploits from signatures less than one month old and 98% of organizations detected N-Day vulnerabilities that have existed for at least five years.

FortiGuard Labs also continues to observe threat actors exploiting vulnerabilities that are more than 15 years old, reinforcing the need to remain vigilant about security hygiene and a continued prompt for organizations to act quickly through a consistent patching and updating program, employing best practices and guidance from organizations such as the Network Resilience Coalition to improve the overall security of networks.

Less than 9% of all known endpoint vulnerabilities were targeted by attacks: In 2022, FortiGuard Labs introduced the concept of the “red zone,” which helps readers better understand how likely it is that threat actors will exploit specific vulnerabilities. To illustrate this point, the last three Global Threat Landscape Reports have looked at the total number of vulnerabilities targeting endpoints.

In 2H 2023, research found that 0.7% of all CVEs observed on endpoints are actually under attack, revealing a much smaller active attack surface for security teams to focus on and prioritize remediation efforts.

Ransomware attacks increasingly target critical industries

44% of all ransomware and wiper samples targeted the industrial sectors: Across all of Fortinet’s sensors, ransomware detections dropped by 70% compared to the first half of 2023. The observed slowdown in ransomware over the last year can best be attributed to attackers shifting away from the traditional “spray and pray” strategy to more of a targeted approach, aimed largely at the energy, healthcare, manufacturing, transportation and logistics, and automotive industries.

Botnets showed incredible resiliency, taking on average 85 days for command and control (C2) communications to cease after first detection: While bot traffic remained steady relative to the first half of 2023, FortiGuard Labs continued to see the more prominent botnets of the last few years, such as Gh0st, Mirai, and ZeroAccess, but three new botnets emerged in the second half of 2023, including: AndroxGh0st, Prometei, and DarkGate.

38 of the 143 advanced persistent threat (APT) groups listed by MITRE were observed to be active during 2H 2023: FortiRecon, Fortinet’s digital risk protection service, intelligence indicates that 38 of the 143 Groups that MITRE tracks were active in the 2H 2023. Of those, Lazarus Group, Kimusky, APT28, APT29, Andariel, and OilRig were the most active groups.

Threat actors’ activity on the dark web

The report also includes findings from FortiRecon, which give a glimpse into the discourse between threat actors on dark web forums, marketplaces, Telegram channels, and other sources. Some of the findings include:

• Threat actors discussed targeting organizations within the finance industry most often, followed by the business services and education sectors.
• More than 3,000 data breaches were shared on prominent dark web forums.
• 221 vulnerabilities were actively discussed on the darknet, while 237 vulnerabilities were discussed on Telegram channels.
• Over 850,000 payment cards were advertised for sale.

“The 2H 2023 Global Threat Landscape Report from FortiGuard Labs continues to shine a light on how quickly threat actors are taking advantage of newly disclosed vulnerabilities. In this climate, both vendors and customers have a role to play. Vendors must introduce robust security scrutiny at all stages of the product development life cycle and dedicate themselves to responsible radical transparency in their vulnerability disclosures. With over 26,447 vulnerabilities across more than 2,000 vendors in 2023 as cited by NIST, it is also critical that customers maintain a strict patching regimen to reduce the risk of exploitation,” said Derek Manky, Chief Security Strategist and Global VP Threat Intelligence, FortiGuard Labs.